- 1- Not a lot of GitHub sensitive exposures, since I already made a full video for that at BC university.
- 2- I spoke about creating a specific wordlist for each target, depending on the patterns I notice in each target.
- The wordlist initially has 3-5 file paths for each known technology, then I add the target company's robots.txt disallowed entries; that's the baseline. I add the subdomains to the list (yes, it happens with some companies: http://whatever.corp.example.com/whatever/), and the MOST important part is gathering paths & endpoints from GitHub for the company. A path might be for an internal host, but it is also there on production ones; you can't just depend on SecLists and known wordlists for that.
- 3- Gathering subdomains from GitHub for each target. The 1M list is good but not enough; from GitHub you get to see other subdomains, e.g. for Kubernetes: k8s-prd, k8s, depending on the company, etc.
- You can use https://github.com/gwen001/github-search for points 2-3.
- 4- This is nice and updated if you know how to clean the lists and use them with yours: https://github.com/milo2012/pathbrute (defaultPaths.txt, cvePaths.txt, packetstormPaths.txt, webappPaths.txt)
- 5- The new beta Shodan is very nice, examples:
- It can help gather subs easily: https://beta.shodan.io/domain/paypal.com
- Easy sorting: https://beta.shodan.io/search/facet?query=ssl%3Aoath+port%3A%22443%22&facet=org
- 6- When I have time to hunt for a month, I subscribe for a month to the Shodan Small Business plan ($299), which gives you:
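The per-target wordlist from points 2 and 4 (technology baseline, robots.txt disallows, subdomain labels reused as paths, paths mined from GitHub, then cleaned and deduplicated) as an added example; this is not the author's script or any of the linked tools, and the robots.txt body, URLs and baseline entries are constructed sample data for a hypothetical target.

```python
import re
from urllib.parse import urlparse

# Constructed sample inputs for a hypothetical target (not real data).
ROBOTS_TXT = """User-agent: *
Disallow: /admin/
Disallow: /internal/api/
Allow: /public/
Disallow: /*.bak$
"""
MINED_URLS = [
    "http://k8s-prd.corp.example.com/api/v1/health",
    "https://internal.corp.example.com/internal/api/users?id=1",
    "https://example.com/api/v1/health",
]
TECH_BASELINE = {"nginx": ["/status", "/nginx_status"], "weblogic": ["/console"]}

def normalize(path):
    """Strip query/fragment, collapse '//' runs, force one leading slash (case kept)."""
    path = path.split("?", 1)[0].split("#", 1)[0]
    path = re.sub(r"/+", "/", path)
    return path if path.startswith("/") else "/" + path

def robots_disallows(body):
    """Concrete Disallow entries only; empty (allow-all) and wildcard rules are skipped."""
    out = []
    for line in body.splitlines():
        key, _, val = line.partition(":")
        val = val.strip()
        if key.strip().lower() == "disallow" and val and not re.search(r"[*$]", val):
            out.append(normalize(val))
    return out

def paths_from_urls(urls):
    """Keep only the path of each mined URL; the host may be internal-only."""
    return [normalize(urlparse(u).path) for u in urls if urlparse(u).path not in ("", "/")]

def build_wordlist(techs, robots_body, mined_urls, subdomains):
    """Baseline + robots + mined paths + subdomain labels as paths, deduplicated in order."""
    candidates = [p for t in techs for p in TECH_BASELINE.get(t, [])]
    candidates += robots_disallows(robots_body)
    candidates += paths_from_urls(mined_urls)
    candidates += ["/%s/" % s.split(".")[0] for s in subdomains]  # /whatever/ pattern
    seen, result = set(), []
    for p in map(normalize, candidates):
        if p not in seen:
            seen.add(p)
            result.append(p)
    return result
```

The same normalization step is what makes merging the pathbrute lists with your own list safe: duplicates that differ only by a trailing query string or doubled slash collapse to one entry.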
- Features
- Up to 20 million results per month *
- Scan up to 65,536 IPs per month
- Network Monitoring for 65,536 IPs
- Access to most filters
- Allows paging through results
- Basic access to the Streaming API
- Commercial Use
- E-Mail support
- Vulnerability search filter
- Their API is amazing.
- 7- I use this to manage my projects; it's underrated, I highly recommend trying it, it's free and amazing: https://github.com/intrigueio/intrigue-core
- 8- I keep monitoring changes on all subs I gathered.
- 9- I tend to be selective and more focused on what others ignore (302, 403, 401), and I always find reachable endpoints; I got 3-4 critical bugs based on that when (302, 401, 401) were bypassed, mainly endpoints gathered from GitHub.
- 10- It's good to make honeypots with technologies like Ruby, WebLogic, etc. There are a lot of CVEs but not a lot of public exploits; some people keep their exploits for themselves, and they might use them on your honeypots.